Solved: The dog is definitely a lover of the USA...

Status
Not open for further replies.

dawghunter

'cause he's here with me too. Norton AV found Trojan.Dropper and Trojan.Adclicker and says it deleted them. This was after a routine full system scan. The scan came immediately after strange and vulgar pop-up ads appeared (despite a firewall and pop-up blocker).

Well, I have found most or all of the following in my trusted sites:

*whataboutadog.com
*doginhispen.com
88.80.5.21

Have done all Norton called for, including the turning off of the infamous system restore. The dog comes home. If I delete it from the trusted box, it comes back when I restart my computer.

I downloaded FindAWF. The attachment of findings is included on this post.

I downloaded HJT. The attachment of findings is included on this post.

Thanks Howard and all you folks for your info and help,
 
Hello and welcome to Techspot.

You're running an outdated version of HJT. See HERE.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Double-click FindAWF.exe to start the tool. Then, do the following:
Select "option #2 - Restore files from bak folders" by typing 2 and pressing Enter.
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

"C:\Program Files\Microsoft ActiveSync\bak\wcescomm.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\QuickTime\bak\bak\qttask.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\QuickTime\bak\bak\qttask.exe"
"C:\Program Files\verizon\bak\McciTrayApp.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Program Files\ATI Technologies\ATI.ACE\bak\CLIStart.exe"
"C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
"C:\Program Files\HP\hpcoretech\bak\data\EvntData-463817067.xml"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\Iomega\AutoDisk\bak\ADUserMon.exe"
"C:\Program Files\Iomega\DriveIcons\bak\deskup.exe"
"C:\Program Files\Iomega\DriveIcons\bak\ImgIcon.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\QuickTime\bak\bak\qttask.exe"
"C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"

Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

Also, please attach a fresh HJT log.

Regards Howard :wave: :wave:

This thread is for the use of dawghunter only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
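The FindAWF steps above work on one pattern: a program's original executable has been moved into a sibling directory named `bak` and something else now sits at the original location, which is why the tool offers "restore files from bak folders" and later "remove bak folders". The script below is an added example, not FindAWF's code or anything posted in this thread: it walks a directory tree, finds every file parked under a `bak` directory, locates the live file it shadows one level up, and classifies the pair by SHA-256 comparison (the hash comparison is this example's own check, not something the tool is documented to do). The sample tree is constructed from names in the listings above, with made-up file contents; nested `bak\bak` copies are compared against the `bak` copy above them, mirroring how the listings enumerate them separately.

```python
"""Detect the 'bak folder' pattern that FindAWF reports: an original program file
is moved into a sibling directory named 'bak' and a different file is left in its
place. Added example, not FindAWF's code; the sample layout is constructed."""
import hashlib
import os
import tempfile
from pathlib import Path

BAK_DIR_NAME = "bak"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large executables need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_bak_shadows(root):
    """Walk `root`; for every file stored under a directory named 'bak', find the
    live file it shadows (same relative name one level up) and classify the pair:
      replaced           live file exists but its hash differs from the backup
      identical          live file and backup are byte-for-byte the same
      live-file-missing  nothing sits at the live location any more
    A nested bak/bak copy is compared against the bak copy directly above it."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        bak_dir = Path(dirpath)
        if bak_dir.name.lower() != BAK_DIR_NAME:
            continue
        live_dir = bak_dir.parent
        for backup in bak_dir.rglob("*"):
            if not backup.is_file():
                continue
            rel = backup.relative_to(bak_dir)
            # Files inside a nested bak directory are handled when os.walk
            # reaches that directory; skip them here to avoid double counting.
            if any(part.lower() == BAK_DIR_NAME for part in rel.parts[:-1]):
                continue
            live = live_dir / rel
            if not live.is_file():
                status = "live-file-missing"
            elif sha256_of(live) == sha256_of(backup):
                status = "identical"
            else:
                status = "replaced"
            findings.append({
                "backup": backup.relative_to(root).as_posix(),
                "live": live.relative_to(root).as_posix(),
                "status": status,
            })
    return sorted(findings, key=lambda f: f["backup"])


def replaced_files(findings):
    """The pairs a responder looks at first: a live file that no longer matches
    the copy parked in bak."""
    return [f["live"] for f in findings if f["status"] == "replaced"]


# Constructed sample tree using names from the thread's FindAWF listing;
# the byte contents are placeholders, not real executables.
SAMPLE_FILES = {
    "Program Files/QuickTime/qttask.exe": b"MZ constructed replacement",
    "Program Files/QuickTime/bak/qttask.exe": b"MZ constructed original qttask",
    "Program Files/QuickTime/bak/bak/qttask.exe": b"MZ constructed original qttask",
    "Program Files/Iomega/DriveIcons/deskup.exe": b"MZ constructed original deskup",
    "Program Files/Iomega/DriveIcons/bak/deskup.exe": b"MZ constructed original deskup",
    "Program Files/HP/hpcoretech/bak/data/EvntData-463817067.xml": b"<EventData/>",
}


def build_sample_tree(base):
    for rel, content in SAMPLE_FILES.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def run_demo():
    """Build the sample tree in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_bak_shadows(tmp)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['status']:<18} {f['backup']}  ->  {f['live']}")
```

On the sample tree the QuickTime entry comes back as `replaced` (the live `qttask.exe` differs from its `bak` copy), the Iomega pair and the nested QuickTime copy as `identical`, and the HP XML as `live-file-missing`; only the `replaced` pairs need the restore-then-remove treatment the thread walks through, and an `identical` pair means the backup can be removed without restoring anything.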
 
OK, work completed...

I have attached a new awf and hjt (using the new hjt tool...thanks for that note).

They are labeled as before with the addition of 101107 at the end to indicate newest files.

Where do I head now, and thanks Howard for your help.

DawgHunter (but please call me Tom the lover of MGB's...)
 
Please double-click the FindAWF icon once again
This time we are going to remove some folders.


Use the following option: Press 3 then Enter to remove bak folders


A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\Microsoft ActiveSync\bak
C:\Program Files\QuickTime\bak
C:\Program Files\QuickTime\bak\bak
C:\Program Files\QuickTime\bak
C:\Program Files\QuickTime\bak\bak
C:\Program Files\verizon\bak
C:\Program Files\Windows Media Player\bak
C:\WINDOWS\system32\bak
C:\Program Files\ATI Technologies\ATI.ACE\bak
C:\Program Files\HP\hpcoretech\bak
C:\Program Files\HP\hpcoretech\bak
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\Iomega\AutoDisk\bak
C:\Program Files\Iomega\DriveIcons\bak
C:\Program Files\Iomega\DriveIcons\bak
C:\Program Files\QuickTime\bak
C:\Program Files\QuickTime\bak\bak
C:\Program Files\Verizon Online\Help Support\bak
C:\WINDOWS\system32\dla\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Common Files\Sonic\Update Manager\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log

Regards Howard :)

This thread is for the use of dawghunter only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
New AWF...

OK Howard, done. Attached is newest AWF. Note the letter "B" which means this is the newest one.
 
There's still some bak files left to deal with.

Double-click FindAWF.exe to start the tool. Then, do the following:
Select "option #2 - Restore files from bak folders" by typing 2 and pressing Enter.
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

"C:\Program Files\QuickTime\bak\bak\qttask.exe"
"C:\Program Files\HP\hpcoretech\bak\data\EvntData-463817067.xml"
"C:\Program Files\QuickTime\bak\bak\qttask.exe"

Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

Regards Howard :)

This thread is for the use of dawghunter only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
OK, newest awf posted

labeled with a "C" for newest scan.

Man, Howard, are you in the UK? Must be about 6PM there...
 
Please double-click the FindAWF icon once again
This time we are going to remove some folders.


Use the following option: Press 3 then Enter to remove bak folders


A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\QuickTime\bak
C:\Program Files\HP\hpcoretech\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log

Regards Howard :)

This thread is for the use of dawghunter only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to add/remove programmes in your control panel and uninstall anything to do with the following (if there).

Viewpoint
Viewpoint manager
Viewpoint toolbar
Power Scan
AWS
WeatherBug

Close control panel.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Viewpoint Manager Service

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end the process for the following (if there).

ViewpointService.exe
Weather.exe
powerscan.exe
ViewMgr.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

O2 - BHO: (no name) - {4445ba54-fb65-47ab-8df7-52aafca46154} - C:\WINDOWS\system32\dpvcmp.dll (file missing)

O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab

O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://di.imgag.com/imgag/cp/install/Crusher.cab

Fix all O18 - Protocol: entries.

O20 - Winlogon Notify: dpvcmp - dpvcmp.dll (file missing)

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there).

C:\Program Files\Viewpoint (delete the entire folder)
C:\Program Files\AWS (delete the entire folder)
C:\Program Files\Power Scan (delete the entire folder)
C:\Program Files\QuickTime\bak (delete the entire folder)
C:\Program Files\HP\hpcoretech\data\EvntData-533031436.xml
C:\Program Files\QuickTime\qttask.exe

Reboot into normal mode and rehide your protected OS files.

Download and install Quicktime again.

Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

Post a fresh HJT log and let me know if you're still having problems.

Regards Howard :)

This thread is for the use of dawghunter only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
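The HJT entries Howard picks out above follow a few recognisable cues: a BHO with "(no name)" whose DLL is "(file missing)", a Winlogon Notify entry pointing at that same missing DLL, O16 ActiveX downloads from hosts that are not the operating-system vendor, and Run/Service entries belonging to the products the post says to uninstall. The script below is an added example, not HijackThis's code or anything from this thread's attachments: it parses log lines of the shape shown in the post into type, CLSID, path and URL, then applies those cues as triage rules. The sample lines are the ones quoted in the post plus one constructed benign `ctfmon.exe` Run entry so that a clean line is visible; the removal-list markers come from the uninstall list above, and the trusted-host allowlist is an assumption made for the demo.

```python
"""Parse HijackThis (HJT) log lines and apply simple triage rules. Added example,
not HJT's own code; the rules encode the reasoning visible in this thread and the
host allowlist is an assumption."""
import re
from urllib.parse import urlparse

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A Windows path, minus the trailing "(file missing)" / "(HKCU)" markers HJT appends.
WIN_PATH = re.compile(r"([A-Za-z]:\\.*?)(?:\s\(file missing\))?(?:\s\(HK[A-Z]+\))?$")
URL = re.compile(r"https?://\S+")

# Product names the thread's removal instructions target (constructed list).
UNWANTED_MARKERS = ("viewpoint", "power scan", "weatherbug")
# Hosts from which an O16 ActiveX download is expected; assumption for the demo.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")


def parse_hjt_line(line):
    """Split one HJT line into its type code and the fields we can extract.
    Returns None for lines that are not HJT entries."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    entry = {"type": kind, "raw": line.strip(), "clsid": None, "path": None,
             "url": None, "file_missing": "(file missing)" in body}
    if (c := CLSID.search(body)):
        entry["clsid"] = c.group(0).lower()
    if (p := WIN_PATH.search(body)):
        entry["path"] = p.group(1)
    if (u := URL.search(body)):
        entry["url"] = u.group(0)
    return entry


def triage_entry(entry):
    """Return the list of reasons an entry deserves attention (empty = clean)."""
    reasons = []
    if entry["file_missing"]:
        reasons.append("orphaned: referenced file is missing")
    if entry["type"] == "O2" and "(no name)" in entry["raw"]:
        reasons.append("nameless BHO")
    if entry["type"] == "O16" and entry["url"]:
        host = urlparse(entry["url"]).hostname or ""
        if not any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS):
            reasons.append(f"ActiveX download from untrusted host {host}")
    if entry["type"] == "O18":
        reasons.append("non-standard protocol handler")
    haystack = entry["raw"].lower()
    for marker in UNWANTED_MARKERS:
        if marker in haystack:
            reasons.append(f"matches removal list: {marker}")
    return reasons


def triage_log(text):
    """Parse every HJT line in `text` and pair it with its triage reasons."""
    results = []
    for line in text.splitlines():
        entry = parse_hjt_line(line)
        if entry is not None:
            results.append({"entry": entry, "reasons": triage_entry(entry)})
    return results


# Lines quoted in the thread, plus a constructed benign ctfmon.exe Run entry.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4445ba54-fb65-47ab-8df7-52aafca46154} - C:\WINDOWS\system32\dpvcmp.dll (file missing)
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://di.imgag.com/imgag/cp/install/Crusher.cab
O20 - Winlogon Notify: dpvcmp - dpvcmp.dll (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        flag = "; ".join(r["reasons"]) or "clean"
        print(f"{r['entry']['type']:<4} {flag}")
```

Seven of the eight sample lines come back flagged and the constructed `ctfmon.exe` entry comes back clean. The rules are deliberately conservative: "(file missing)" alone is enough to call an entry orphaned, but a Run or Service entry is only flagged when it matches a name that has already been identified for removal, because a path under Program Files is not on its own evidence of anything.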
 
OK, files ready

Did all you said. Quicktime is reloaded. Here's latest awf and hjt files

awf has a "E" in it, and hjt has "A" in it.

Regards from the Colonies

DawgHunter aka Tom the former MGB owner
 
Your HJT log is clean.

There's only one bak entry left to deal with in your awf.txt.

Double-click FindAWF.exe to start the tool. Then, do the following:
Select "option #2 - Restore files from bak folders" by typing 2 and pressing Enter.
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

"C:\Program Files\HP\hpcoretech\bak\data\EvntData-463817067.xml"

Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

Regards Howard :)

This thread is for the use of dawghunter only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
OK forgot to say that when I restarted in normal mode the dog was still barking, so I got him out of the trusted zone. argh. Doing your suggested fix now...

Attached "F" awf file ready to see....

Might have to get out of here for a bit, but I'll be back, if not tonight then tomorrow. It's 7:19pm here now, so I know it's late there. Get some sleep dude. You are awesome!
 
Please double-click the FindAWF icon once again
This time we are going to remove some folders.


Use the following option: Press 3 then Enter to remove bak folders


A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\HP\hpcoretech\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log

Regards Howard :)

This thread is for the use of dawghunter only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
File G

OK Howard, awf file "G" coming to you.

It's 22:43EDST here, and I need to get to sleep so I need to sign off for now. I suppose you must be doing a red-eye tonight!

I appreciate your help and I'll check back here later. Looking forward to resolving this thing.

'68 MGB: Last of the leather seaters...


Dawg aka Tom
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Locate and delete the following files and/or directories (if there).

C:\Program Files\HP\hpcoretech\data\EvntData-463817067.xml
C:\Program Files\HP\hpcoretech\bak

Reboot into normal mode and rehide your protected OS files.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the Panda Antirootkit scan.

Regards Howard :)

This thread is for the use of dawghunter only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
OK Howard, I'm back. Sorry for the delay. It's 17:57 EDST here. Initiating your fixes now...

I'll be back!

10/13/2007 23:59

Hey Howard, I am at Step 9 (Ccleaner); so far, so good with the other steps. TrendMicro found a trojan in C:\Windows\cpa.exe that was cleaned.

I have cleaned 50 of 450+ infected files with Ccleaner, but now it wants me to buy the full program to finish the job. Recommended?

Thanks.


DawgHunter aka Tom the Colonial
 
dawghunter said:
10/13/2007 23:59 I have cleaned 50 of 450+ infected files with Ccleaner, but now it wants me to buy the full program to finish the job. Recommended?

What wants you to buy the full programme?

Regards Howard :)
 
When I went to Step 9 and downloaded Ccleaner (which showed http://www.filehippo.com/download_ccleaner/ as the website), it loaded OK, then tested something like 400 of 450 "infections", then stopped and said that in order to have them all cleaned I'd need the full version for $29.95 US. I tried it again with the same results, only it showed then that it had already cleaned a previous 50.

Also, I never saw an Old prefetch Data option as indicated in Step 9.

I didn't want to proceed to Step 10 till we cleared up Step 9.
 
OK will do.

OK, Step 9 completed. That newer link to Ccleaner worked fine. Old Prefetch Data option unchecked.

Working on Step 10 now, Tool 1.

15:12 EDST

Dawg aka Colonial
 
Ok mate, I'll alter the link in the main sticky, so that no one else has that problem.

Regards Howard :)

This thread is for the use of dawghunter only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
OK, steps all done...

20:59
11/15/2007

Howdy Howard. All 15 steps run, and the three reports are attached.

1. HJT (just done)
2. Combofix
3. AVG Antispyware

Panda Antirootkit says NO ROOTKITS FOUND.

AVG Antispyware Step 14 found 6 items, quarantined 2 (ADWARE.HOTBAR & TROJAN.ZAPCHAST) but refused to quarantine the cookies; insisted on deleting them. Couldn't make it change, so it deleted them and quarantined the other 2.

Other than that, things seem to go swimmingly.

Dawg aka The Colonial Pest
 